InstaAgent Removed From iTunes, Google Play For Data Theft

A software developer has discovered that a leading free app on iTunes and Google Play has been sending people’s usernames and passwords to an unknown website.

The malicious app is called InstaAgent, and is touted as an Instagram client. It is also reportedly the most downloaded free app in the UK and Canada.

Data Theft

InstaAgent touts itself as an app that allows the user to see who has viewed their Instagram account. When a user downloads the app, and enters their account information (including usernames and passwords), the app sends these details, unencrypted, to a third-party server, according to the Guardian newspaper.

The discovery of its data stealing activities was made by developer David Layer-Reiss of Peppersoft, who tweeted his warning about the app.

“Who Viewed Your Profile  #Instaagent will send your Instagram Username and Password to an unknown server!,” he warned.

InstaAgent was available on the iTunes store and Google Play Store. Both websites have since removed the app, but not before it was downloaded by thousands of unsuspecting users. Indeed, Google indicates that the app has been downloaded between 100,000 and 500,000 on Google Play.

Instagram users who used the app should therefore consider their Instagram passwords compromised.

Red Faces?

And at least one security expert has noted how both Apple and Google seemed to have been duped by this app, but he said that both firms will no doubt examine how the app managed to bypass their respective screening processes.

“It’s certainly unusual for both the Google and Apple app stores to clear scamware like the InstaAgent profile viewing app, especially given that profile viewing scams have been around for a while and should be pretty well known to the human screeners at these app stores,” commented Tod Beardsley, security research manager at Rapid7.

“With the notable exception of the professional networking site LinkedIn, most social media platforms do not offer this “reverse stalking” capability, but this doesn’t stop the hopeful from trying an app that promises to deliver on impossible functionality,” said Beardsley.

“While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about a half a million username and password combinations,” Beardsley said.

“Since people routinely reuse passwords for various social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed,” he added. “For example, many people use “unique” passwords that incorporate the site’s name or an easy mnemonic, like “password.Insta” or the like. It wouldn’t be difficult to surmise that someone who used that password might also use “password.Twit” for Twitter.

Beardsley also pointed out that as the passwords were transmitted in the clear (i.e. not encrypted), there is no telling who else also had the opportunity to collect this sensitive data.

“While the availability and popularity of this particular piece of scamware is notable, I’m positive Google and Apple reject countless similar apps routinely, and I’d expect they’ll be taking this failure in their screening process as a learning opportunity to find out what they could have done to catch it in the first place,” said Beardsley.

Are you a security pro? Try our quiz!